Identity, Cloud Security

Why managing machine identities has become a critical part of the security equation

Today’s columnist, Chris Hickman of Keyfactor, writes that whether it’s to scale, embrace zero-trust, or shift to the cloud, managing machine identities will play a major role. (Photo by Sean Gallup/Getty Images)

A report we published recently with the Ponemon Institute based on more than 1,200 responses from security pros discovered that digital identities create operational challenges for modern businesses. As the number of machine identities far outnumbers their human counterparts, Keyfactor hoped to offer practical advice to resolve the issue.

Today’s modern enterprises rely on thousands of devices and applications to conduct day-to-day operations. Similar to the humans that make up an organization, each device should have its own identity and that security teams must properly manage and secure. However, unlike humans, machine identities come in the form of digital certificates and cryptographic keys, such as Transport Layer Security (TLS) certificates, Secure Shell (SSH) keys and encryption keys.

Although security and IT teams have primarily focused their efforts (and resources) on securing human identities, now’s the time they must shift their focus to machine identities. According to our report, 81% of respondents experienced multiple disruptive outages because of expired certificates in the past 24 months. When these certificate-related outages occur, it can take businesses 3.3 hours on average to respond and remediate. Today, enterprises are reporting an increase in frequency and impact of outages caused by untracked or expired certificates. Because shorter SSL/TLS certificate lifespans have become the new norm, expired certificates have reached an all-time high.

The growing number of devices relied upon by today’s modern business shows no signs of slowing down. It’s also true for the number of certificates and keys, making it increasingly challenging to secure machine identities across enterprises. Luckily, we are seeing businesses starting to prioritize properly securing and managing their machine identities. Our research confirms that 66% of IT decision-makers continue to deploy more keys and digital certificates across their IT landscape.

When it comes to scaling, focus on automation

Enterprise IT teams are laser-focused on driving the business forward by scaling and innovating quickly to exceed customer expectations and outpace the competition. Nothing stunts organizational growth like time-consuming, manual processes that take valuable resources away from other critical tasks. When it comes to people and machine identities, heavily relying on manual processes (tracking certificate expiration dates in an Excel sheet, for example) prevents an organization from being able to scale.

The bigger the business, the more devices, and the more keys needed for proper machine identity management. The growing number of keys needed to effectively run an enterprise has become unmanageable. According to our report, 70% say the growth of keys and certificates has increased an operational burden.

During substantial company growth, lifecycle automation becomes a top priority for public key infrastructure (PKI) and certificate management. It helps teams ensure that no machine identity and its corresponding certificate slip through the cracks. Whether an organization experiences global expansion or M&A, certificate lifecycle automation can offer the enterprise-wide visibility needed for optimal identity protection. In fact, lifecycle automation (60%) and complete visibility of all certificates (57%) both emerged as top needs for PKI and certificate management.

Businesses can mitigate that burden by relying more on automation to alleviate the strenuous process away from their security and IT teams. Automation can keep a log of the number of keys and certificates, keep track of each key and certificate expiration, and when that expiration time comes, timely issue new keys and certificates to avoid detrimental outages.

Implement a zero-trust strategy

Today, zero-trust has emerged as a critical and strategic enterprise undertaking. Defined as a concept that puts an extra level of protection to only permit authorized users, devices and accessibility, zero-trust helps businesses protect themselves from external threats.

PKIs, keys and certificates, all play a critical role in implementing a zero-trust strategy and having strong identities and those identities need to be managed. The report also found that 55% ranked zero-trust as a top driver for the increase of PKI, keys, and certificates.

When implementing a zero-trust strategy, businesses should evaluate identity during the authentication and authorization process to ensure that a user really is who they say they are, using the resource they are entitled to, no matter where they are.

The rapid shift to the cloud

Companies continue to go "all-in" on the cloud. This pushes the boundaries of identity and can challenge organizations to find the right solutions to secure both people and devices in hybrid environments. How can organizations face the identity challenges that come with today’s cloud adoption? Crypto-agility. Being crypto-agile means a business can quickly and effectively manage and adapt public key infrastructure (PKI) and machine identities to new algorithms and standards.

Through crypto-agility, businesses can execute a proactive approach to securing identities, and can respond to breaches or incidents at the optimal speed. Because when it comes to breaches, timing is everything. Some 57% percent confirmed that crypto-agility has become a top priority for their organization's digital security.

In the years ahead, as more enterprises modernize their PKI and migrate to the cloud, we can expect an increasing number to focus on crypto-agility in their incident response plans. This will further prepare them to handle today’s emerging threats aimed towards identities.

Based on the report’s findings, it’s clear there are many reasons why machine management will continue on as a priority for today’s modern business. Whether a business looks to scale, implement a zero-trust strategy, or shift to the cloud, machine identity plays a critical role.

Chris Hickman, chief security officer, Keyfactor

An In-Depth Guide to Identity

Get essential knowledge and practical strategies to fortify your identity security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds